Re: A Look In the Mirror: Attacks on Package Managers
Russ Allbery <email@example.com> writes:
> There was some discussion of periodically resigning the security archive
> even if there are no updates so that package managers could warn if more
> than X days had gone by without an update to the security archive
> signatures. I don't know if anyone has concrete plans to implement that.
The Release file in the repository now has a Valid-Until field that
invalidates the repository after some time without updates. This can be
used to detect a mirror providing outdated packages.
I am not sure whether APT checks this or not. I hope it does.